GDPR

We comply with GDPR privacy requirements. These requirements cover the elements below. More details on the GDPR elements are available in the Data Privacy & Ethics Policy:

DATA PROCESSING AGREEMENT

INNOVISOR as data processor:

-processes the Personal Data of the Client only in accordance with the General Data Protection Regulation

-ensures that all employees accessing the Personal Data are aware of the terms of the agreement and bound by a commitment of confidentiality

SECURITY OF PROCESSING

INNOVISOR as data processor:

-agrees to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such as secure file transfer, storage and segregation from other project data

MONITORING & NOTIFICATION

INNOVISOR as data processor:

-assists the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, such as notification of data breaches to the supervisory authority, communication of data breaches to the affected individuals, data protection impact assessments and, when necessary, prior consultation with the supervisory authority in the country where the Personal Data is processed

-notifies the Client and its individual employees of any risk within three (3) business days

GIVE & WITHDRAW CONSENT

INNOVISOR as data processor:

-obtains consent for the processing of Personal Data through either (1) the performance of a contract issued by the Client, or (2) the acceptance of the terms by the employee prior to starting the survey used for data collection

-ensures that it is as easy for an individual employee at the Client to withdraw consent as it is to give it

RIGHT TO ACCESS & TO BE FORGOTTEN

INNOVISOR as data processor:

-provides individuals at the Client the right to obtain access to their Personal Data held by Innovisor

-provides individuals at the Client the right to erase and rectify their Personal Data

-deletes the Personal Data twelve (12) months after the end of the Services, unless otherwise agreed with the Client

-provides certification of destruction of all Personal Data to the Client

PRIVACY & ETHICS POLICY

1. How do we use your information and Personal Data?

Generally, we use your information and Personal Data to provide you with our Services. In addition, we use your information and Personal Data in other specific ways:

1.1 To provide you with our customer support services

We provide you with customer support which requires us to access your information and Personal Data to assist with, for instance, technical troubleshooting.

1.2 To manage our Services

We internally use your data for the following limited purposes:

1.2.1 To monitor, maintain, and improve our services and features.

We internally perform statistical and other analysis on the information and Personal Data we collect (including usage data, and question and response data) to:

benchmark across industry verticals;

analyze and measure user behavior and trends in order to understand how people use our Services; and

monitor, troubleshoot and improve our Services.

When we do this, no individual survey respondents will be identified.

1.2.2 To prevent potentially illegal activities.

1.2.3 To develop aggregated benchmarks

We may use your data and client organization metadata in aggregated form to develop benchmarks. We may look at statistics such as averages and distributions of responses belonging to an organizational level, such as business unit, region, and age and tenure group.

When we do this, no individual diagnostic respondents will be identified.

1.2.4 To respond to legal requests and prevent harm.

If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.

2. With whom do we share or disclose your personal information and data?

Individual responses will not be shared with anyone outside Innovisor, because we recognize that you have entrusted us with safeguarding the privacy of your information. Trust is very important to us. That is why the only time we will disclose or share your personal information or diagnostic data with a third party is when we have done one of two things, in accordance with applicable law: (a) given you notice; or (b) de-identified or aggregated the information so that individuals or other entities cannot reasonably be identified from it. Where required by law, we will obtain your express consent prior to disclosing or sharing any information or Personal Data.

We may disclose:

2.1 Your information to our service providers

We use third-party service providers who help us to provide you with our Services. We give relevant persons working for the providers access to your information, but only to the extent necessary for them to perform their services for us. Examples of service providers include online survey vendors, hosting services, email service providers, and other IT solution providers.

2.2 Aggregated or de-identified information to third parties to improve or promote our Services

No individuals can reasonably be identified or linked to any part of the information we share with third parties to improve or promote our services.

2.3 Your information if required or permitted by law

We may disclose your information as required or permitted by law, or when we believe that disclosure is necessary to protect our rights, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.

3. What are your rights to your information?

3.1 Access/Update/Delete

If you want to access, update, or delete anything in your master data or responses, you may request access to and correction of the information and Personal Data we hold about you by contacting customer support at dataprivacy@innovisor.com.

You can obtain the following from Innovisor:

Confirmation that your data is being processed

Access to your personal data; and,

Other supplementary information

This information will be provided to you without delay and at the latest within one month of the request receipt.

In your message to our customer support, please answer the following questions so that your request can be processed:

Are you an EU resident, an EU company, or an EU organization?

What company do you work for?

What are you requesting? The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, or the right to object.

4. What security measures and procedures are taken?

You have entrusted us with your information and Personal Data. We therefore take security seriously. We never stop working to ensure your information and Personal Data are secure. We follow industry standards and have developed our own best practices to stay ahead of any changes or challenges.

4.1 Security control on the level of human resources

4.1.1 Background verification.

All employment candidates, contractors and third parties are subject to background verification. Employees sign both a nondisclosure agreement and a statement of understanding after the Information Security Awareness Training.

4.1.2 Information security awareness training.

All employees receive information security awareness training once a year. The training covers the company's policies and the secure handling of information and Personal Data.

4.2 Security controls on the level of information technology

4.2.1 IT Governance framework.

We implement the general requirements of ISO/IEC 27002:2013.

4.2.2 IT Equipment.

All employees are issued Innovisor-owned equipment, and all Innovisor-owned equipment is managed by the office IT Information Security Manager. Per company policy, employees may not store your information and Personal Data on removable media. When Innovisor-owned equipment is disposed of, the IT Information Security Manager removes the data using the following steps:

overwrite the data on the device (e.g., overwrite the device with binary zeroes or random data under Unix); and

re-install an operating system on the drive.

4.2.3 Antivirus.

We use antivirus software on the endpoints and servers that store, transmit or process your information and Personal Data. The antivirus signature files are kept up to date, and system and security patches are applied in a timely manner to the endpoints and servers that store, transmit or process personal information and data.

4.2.4 Timeout period on applications.

We enforce an inactivity timeout on the applications and systems that are used to store, transmit, process or access your personal information and data.

4.2.5 Third Party Service Providers

We use third-party service providers, all of which are cloud hosted. Their data centers are located in the European Union, and all communications are sent over SSL/TLS connections. Transport Layer Security (TLS, the successor to Secure Sockets Layer, SSL) protects communications by using both server authentication and encryption of the data in transit. We have adopted the storage and transmission practices of the most secure institutions in the world by using 256-bit AES encryption to encrypt data both at rest and in transit. This ensures that information and Personal Data in transit is safe, secure, and available only to the intended recipients.

4.2.6 Passwords.

We impose a minimum password length and complexity for all SaaS vendor accounts and IT equipment. Passwords must:

be at least 8 characters in length;

differ from the current and previous passwords;

not be a single word that appears in the dictionary; and

be composed only of characters in the Roman alphabet, numbers, or symbols on the US keyboard.

The Innovisor password policy also requires a new password every three months.

After ten failed login attempts, the user account is locked and the user must contact the IT Information Security Manager to re-activate it.
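The following is an added example of how the password rules and the lockout rule above can be enforced in code; it is not Innovisor's own code and makes a few assumptions of its own: the password history is kept as salted PBKDF2 hashes rather than plaintext (so a new password is compared against the stored hashes, never against stored passwords), "current and previous passwords" is read as a history depth of two, and the dictionary is a small constructed word list standing in for a real one.

```python
"""Password-policy and lockout checks (added example, not Innovisor's code)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 2          # assumption: "current and previous" = the last two passwords
MAX_FAILED_ATTEMPTS = 10   # lockout threshold stated in the policy
PBKDF2_ROUNDS = 100_000

# Roman letters, digits and the symbols found on a US keyboard.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + string.punctuation)

# Constructed sample dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = frozenset({"password", "welcome", "summer", "dragon", "innovisor"})

HashEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256; only this output is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_violations(candidate: str, history: List[HashEntry]) -> List[str]:
    """Return every policy rule the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if any(ch not in ALLOWED_CHARS for ch in candidate):
        problems.append("contains characters outside the Roman alphabet, digits and US keyboard symbols")
    if candidate.lower() in DICTIONARY_WORDS:
        problems.append("is a single dictionary word")
    # Reuse is detected by re-hashing with each stored salt; plaintext history is never kept.
    if any(verify_password(candidate, salt, digest) for salt, digest in history):
        problems.append("matches the current or previous password")
    return problems


@dataclass
class Account:
    history: List[HashEntry] = field(default_factory=list)  # most recent first
    failed_attempts: int = 0
    locked: bool = False


def set_password(acct: Account, candidate: str) -> List[str]:
    """Apply the policy; on success rotate the hash into the history and trim it."""
    problems = policy_violations(candidate, acct.history[:HISTORY_DEPTH])
    if not problems:
        acct.history.insert(0, hash_password(candidate))
        del acct.history[HISTORY_DEPTH:]
    return problems


def login(acct: Account, attempt: str) -> str:
    """'ok', 'denied' or 'locked'; the tenth consecutive failure locks the account."""
    if acct.locked:
        return "locked"
    if acct.history and verify_password(attempt, *acct.history[0]):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"


def unlock(acct: Account) -> None:
    """Manual re-activation, the step the policy reserves for the IT Information Security Manager."""
    acct.locked = False
    acct.failed_attempts = 0


if __name__ == "__main__":
    acct = Account()
    print(set_password(acct, "password"))       # dictionary word
    print(set_password(acct, "Tr0ub4dor&3"))    # accepted
    print(set_password(acct, "Tr0ub4dor&3"))    # reuse of current password
    for _ in range(MAX_FAILED_ATTEMPTS):
        state = login(acct, "wrong-guess")
    print(state)                                # locked
```

The design point the policy text leaves implicit is that a "no reuse" rule needs a retained history, and that history should hold salted hashes only; the example checks a candidate by re-hashing it with each stored salt, so a leaked history file exposes no passwords.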

4.3 Changes to this privacy & ethics policy

We may modify this Policy at any time to make sure your information and Personal Data are protected at all times. If we do so, we will provide you with additional, prominent notice as is appropriate under the circumstances.